make trusted forest account admin on local machine

Discussion in 'Server Migration' started by FigWiggleman, Jan 7, 2010.

  1. FigWiggleman

    FigWiggleman Guest

    We ( have a forest trust with newly acquired partner (
    SID filtering disabled. has a site and DC in their location. All of their IP subnets are part
    of that site definition.

    It was decided to migrate workstations before users in our migration plan.
    User accounts are to be migrated in future, but first we are migrating

    All clients are XP SP2 or better.
    Cross-forest access to file shares and printers on member servers from both
    forests is working by adding global groups from one forest to a domain local
    group in the other forest.

    A workstation is unjoined from its domain and joined to
    (but stays in its same physical location and retains its same IP address.

    So, during this transition period of our migration, a user will log
    on to the same workstation they've always used, with their user
    account, but that workstation is now a member of This way the user
    can continue to use the local profile they are accustomed to until we use
    the QUEST tools to migrate the user and local profile later.

    Problem: there is an application (call it "appl1") which "requires" local
    admin access on the local computer to run properly, but we have not been
    able to make that work. It's unlikely this is the only app that will require
    some kind of elevated access on the workstation, and so we are looking for a
    consistent practice for meeting these requirements.

    Things we've tried:
    - We created an\APPL1 domain local group, containing the\APPL1Users global group, then added the\APPL1 domain local
    group to the local Administrators group.
    - We also tried the same as above, but added individual\username accounts
    to the\APPL1 domain local group.
    - We also tried adding the\username directly to the local Administrators group.

    None of these configurations have yielded admin rights on the workstations.
    When adding accounts (users or groups) to a local group on a workstation,
    the object picker does not enumerate the trusted domain (, but
    using the\username syntax will work for adding the user object. So
    we CAN add the account to the local group in the GUI, but the net effect
    does not yield admin rights on the workstation.

    Is this normal? Can you only grant admin rights via local group membership
    if the user has an account in the same domain as the computer account? Is
    the winlogon process able to include access tokens from the trusted forest?

    Thank you for any help you can provide.
    FigWiggleman, Jan 7, 2010
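    The steps the post describes, done from PowerShell instead of the GUI, as an added example (this is not code from the original poster). It adds a trusted-forest group to the local Administrators group by DOMAIN\name (the object picker will not enumerate the trusted domain, but the WinNT provider accepts the name directly), lists the resulting membership with SIDs, and then inspects the current logon token to see whether the trusted-forest group SID is actually present in it. The names RESOURCE\APPL1 and TRUSTED\APPL1Users are placeholders for the group names the post has stripped out. One caveat that applies regardless of cause: the token is built at logon, so any local group change only shows up in the token after the user logs off and on again.

```powershell
# Added example. RESOURCE\APPL1 and TRUSTED\APPL1Users are placeholder names
# for the domain local group and the trusted-forest global group in the post.

function Add-LocalAdminMember {
    # Add a DOMAIN\name principal to the local Administrators group by name,
    # bypassing the object picker. Runs as a local administrator.
    param([string]$DomainQualifiedName)   # e.g. 'RESOURCE\APPL1' (placeholder)
    $domain, $name = $DomainQualifiedName.Split('\', 2)
    $admins = [ADSI]"WinNT://./Administrators,group"
    $admins.Add("WinNT://$domain/$name")
}

function Get-LocalAdminMembers {
    # List local Administrators members with their SIDs, so an entry that
    # did not resolve through the trust shows up as a raw SID.
    $admins = [ADSI]"WinNT://./Administrators,group"
    $admins.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        $sidBytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        New-Object PSObject -Property @{ AdsPath = $path; SID = $sid.Value }
    }
}

function Get-TokenGroups {
    # Equivalent of 'whoami /groups': every group SID in the current logon
    # token, translated back to a name where the machine can resolve it.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $id.Groups | ForEach-Object {
        try { $name = $_.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        New-Object PSObject -Property @{ SID = $_.Value; Name = $name }
    }
}

function Test-TokenHasGroup {
    # True if the named group's SID is in the current token. Resolving the
    # name to a SID goes through the trust, so it also tests name lookup.
    param([string]$DomainQualifiedName)   # e.g. 'RESOURCE\APPL1' (placeholder)
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $account = New-Object System.Security.Principal.NTAccount($DomainQualifiedName)
    $target = $account.Translate([System.Security.Principal.SecurityIdentifier])
    [bool]($id.Groups -contains $target)
}

function Test-TokenIsAdmin {
    # Does the token carry BUILTIN\Administrators (S-1-5-32-544)? On Vista and
    # later an unelevated process reports $false even for an admin user.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Run once as a local admin on the workstation (membership change):
#   Add-LocalAdminMember 'RESOURCE\APPL1'
#   Get-LocalAdminMembers | Format-Table AdsPath, SID
# Then, after the trusted-forest user logs off and back on, as that user:
#   Get-TokenGroups | Format-Table SID, Name
#   Test-TokenHasGroup 'RESOURCE\APPL1'
#   Test-TokenIsAdmin
```

    If Get-LocalAdminMembers shows the entry with a resolved SID but Get-TokenGroups, run in the user's fresh logon session, does not list that SID, the group was never placed in the token at logon; if the SID is in the token but Test-TokenIsAdmin is false, the local group nesting is what to look at. Comparing the two outputs narrows the question in the post to one of those two cases.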
